From 270e09ab26ca65ba475d18eef78166075549eca2 Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Fri, 25 Aug 2017 21:03:16 +0000
Subject: [PATCH] Use containerd WithUserID.
Signed-off-by: Lantao Liu
---
 hack/test-e2e-node.sh | 1 -
 pkg/server/container_create.go | 18 +++++++-----------
 pkg/server/container_create_test.go | 4 ----
 pkg/server/sandbox_run.go | 12 +++++-------
 pkg/server/sandbox_run_test.go | 4 +---
 5 files changed, 13 insertions(+), 26 deletions(-)
diff --git a/hack/test-e2e-node.sh b/hack/test-e2e-node.sh
index c584798a0..d36c1dd96 100755
--- a/hack/test-e2e-node.sh
+++ b/hack/test-e2e-node.sh
@@ -19,7 +19,6 @@ set -o pipefail
 source $(dirname "${BASH_SOURCE[0]}")/test-utils.sh
 DEFAULT_SKIP="\[Flaky\]|\[Slow\]|\[Serial\]"
-DEFAULT_SKIP+="|runAsUser"
 DEFAULT_SKIP+="|scheduling\sa\sGuaranteed\sPod"
 DEFAULT_SKIP+="|scheduling\sa\sBurstable\sPod"
 DEFAULT_SKIP+="|scheduling\sa\sBestEffort\sPod"
diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index afdfb38d4..b8c74dfab 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -140,16 +140,18 @@ func (c *criContainerdService) CreateContainer(ctx context.Context, r *runtime.C
 containerMetadataLabel: string(metaBytes),
 }
- specOpts := containerd.WithSpec(spec)
+ var specOpts []containerd.SpecOpts
 // Set container username. This could only be done by containerd, because it needs
 // access to the container rootfs. Pass user name to containerd, and let it overwrite
 // the spec for us.
- if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" {
- specOpts = containerd.WithSpec(spec, containerd.WithUsername(username))
+ if uid := config.GetLinux().GetSecurityContext().GetRunAsUser(); uid != nil {
+ specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue())))
+ }
+ if username := config.GetLinux().GetSecurityContext().GetRunAsUsername(); username != "" {
+ specOpts = append(specOpts, containerd.WithUsername(username))
 }
-
 opts = append(opts,
- specOpts,
+ containerd.WithSpec(spec, specOpts...),
 containerd.WithRuntime(defaultRuntime),
 containerd.WithContainerLabels(labels))
 var cntr containerd.Container
@@ -270,12 +272,6 @@ func (c *criContainerdService) generateContainerSpec(id string, sandboxPid uint3
 // Set namespaces, share namespace with sandbox container.
 setOCINamespaces(&g, securityContext.GetNamespaceOptions(), sandboxPid)
- runAsUser := securityContext.GetRunAsUser()
- if runAsUser != nil {
- // TODO(random-liu): We should also set gid. Use containerd#1425 instead.
- g.SetProcessUID(uint32(runAsUser.GetValue()))
- }
-
 supplementalGroups := securityContext.GetSupplementalGroups()
 for _, group := range supplementalGroups {
 g.AddProcessAdditionalGid(uint32(group))
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
index 717d1d9ca..6d2d80c68 100644
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
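Review bot: `containerd.WithUserID(uint32(uid.GetValue()))` narrows the int64 RunAsUser taken from the CRI request to uint32 with no range check, so a negative or out-of-range value wraps silently (4294967296 would become uid 0) instead of being rejected; the removed `g.SetProcessUID(uint32(...))` had the same gap, but this is now the single place to validate it, e.g. `if v := uid.GetValue(); v < 0 || v > math.MaxUint32 { return nil, fmt.Errorf("invalid runAsUser %d", v) }` ahead of the append (`math` may need importing). The identical conversion is added in the RunPodSandbox hunk of pkg/server/sandbox_run.go and should get the same check. The comment above the block still reads "Set container username" although it now also forwards the uid, and it does not say which wins when both RunAsUser and RunAsUsername are set (the username opt is appended last, so presumably it overrides as the old code did); suggest `// Set container user (uid and/or username). ...` with that precedence spelled out. CreateContainer starts and ends outside the hunk.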
@@ -91,7 +91,6 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 },
 SupplementalGroups: []int64{1111, 2222},
 NoNewPrivs: true,
- RunAsUser: &runtime.Int64Value{Value: 255},
 },
 },
 }
@@ -144,9 +143,6 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 assert.NotContains(t, spec.Process.Capabilities.Permitted, "CAP_CHOWN")
 assert.NotContains(t, spec.Process.Capabilities.Ambient, "CAP_CHOWN")
- t.Logf("Check uid")
- assert.EqualValues(t, spec.Process.User.UID, 255)
-
 t.Logf("Check supplemental groups")
 assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
 assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
diff --git a/pkg/server/sandbox_run.go b/pkg/server/sandbox_run.go
index 9889db5b0..ba6556ded 100644
--- a/pkg/server/sandbox_run.go
+++ b/pkg/server/sandbox_run.go
@@ -126,8 +126,12 @@ func (c *criContainerdService) RunPodSandbox(ctx context.Context, r *runtime.Run
 sandboxMetadataLabel: string(metaBytes),
 }
+ var specOpts []containerd.SpecOpts
+ if uid := config.GetLinux().GetSecurityContext().GetRunAsUser(); uid != nil {
+ specOpts = append(specOpts, containerd.WithUserID(uint32(uid.GetValue())))
+ }
 opts := []containerd.NewContainerOpts{
- containerd.WithSpec(spec),
+ containerd.WithSpec(spec, specOpts...),
 containerd.WithContainerLabels(labels),
 containerd.WithRuntime(defaultRuntime),
 containerd.WithNewSnapshotView(id, image.Image)}
@@ -268,12 +272,6 @@ func (c *criContainerdService) generateSandboxContainerSpec(id string, config *r
 // TODO(random-liu): [P1] Apply SeLinux options.
- runAsUser := securityContext.GetRunAsUser()
- if runAsUser != nil {
- // TODO(random-liu): We should also set gid. Use containerd#1425 instead.
- g.SetProcessUID(uint32(runAsUser.GetValue()))
- }
-
 supplementalGroups := securityContext.GetSupplementalGroups()
 for _, group := range supplementalGroups {
 g.AddProcessAdditionalGid(uint32(group))
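Review bot: The `assert.EqualValues(t, spec.Process.User.UID, 255)` check and the `RunAsUser` field in the test data are removed without any replacement, so after this commit nothing in the unit tests exercises RunAsUser at all, even though CreateContainer still reads it and now hands it to containerd as WithUserID. It would be worth keeping `RunAsUser` in getCreateContainerTestData and asserting that generateContainerSpec no longer sets the uid itself (`assert.Zero(t, spec.Process.User.UID)`), so a later change that reintroduces a competing SetProcessUID is caught; the same applies to the renamed case in pkg/server/sandbox_run_test.go. getCreateContainerTestData continues outside the hunk.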
diff --git a/pkg/server/sandbox_run_test.go b/pkg/server/sandbox_run_test.go
index a69dc29e0..0a1996bf6 100644
--- a/pkg/server/sandbox_run_test.go
+++ b/pkg/server/sandbox_run_test.go
@@ -128,16 +128,14 @@ func TestGenerateSandboxContainerSpec(t *testing.T) {
 },
 expectErr: true,
 },
- "should set user correctly": {
+ "should set supplemental groups correctly": {
 configChange: func(c *runtime.PodSandboxConfig) {
 c.Linux.SecurityContext = &runtime.LinuxSandboxSecurityContext{
- RunAsUser: &runtime.Int64Value{Value: 255},
 SupplementalGroups: []int64{1111, 2222},
 }
 },
 specCheck: func(t *testing.T, spec *runtimespec.Spec) {
 require.NotNil(t, spec.Process)
- assert.EqualValues(t, spec.Process.User.UID, 255)
 assert.Contains(t, spec.Process.User.AdditionalGids, uint32(1111))
 assert.Contains(t, spec.Process.User.AdditionalGids, uint32(2222))
 },